User Identification Issues **Featured Article**
- Article Number: 000016035
- Products: Forcepoint URL Filtering, Forcepoint V10000 Appliance, Forcepoint V20000 Appliance, Forcepoint V5000 Appliance, Forcepoint Virtual Appliance, Forcepoint Web Security, Forcepoint Web Security Cloud, Forcepoint Web Security Endpoint, Forcepoint Web Security Endpoint Cloud, Forcepoint X Series Appliance, TRITON AP-ENDPOINT Web, TRITON AP-WEB, Web Filter & Security, Web Security Gateway, Web Security and Web Filter
- Version: 8.5, 8.4, 8.3, 8.2, 8.1, 8.0, 7.8, 7.7
- Last Published Date: June 19, 2020
Notes & Warnings
Important The KB Articles provided may require you to login to https://support.forcepoint.com to view. If you do not have an account, please Create a Customer Account. If you have an account but cannot log in, Contact Support for assistance.
Note This information only applies to Web deployments that connect with Active Directory.
If a user is getting blocked from websites they should be able to access, or are seeing pop ups asking for a login when going to websites, this may be a problem with identifying who they are so they get the right policy that allows those websites.
How to tell if someone isn't identifiedWhen a user receives a block page, if you click "more information", then right click the category for the site showing, and use "View Frame Source" or "View Page Source", you can see the actual information from the block page to show who the Filtering Service thinks they are. If under "User Name" you see an LDAP path with their actual user information, the user is indeed identified, though make sure it’s the right user name. If you do not see LDAP information but instead just see the IP address, this means they are not identified.
For more detail including screen shots and an example of the user information, see How do block pages work?
You may also use Real-Time Monitor to see if a user name or IP address is present; an IP would mean not identified. If using multiple policy servers, ensure you have switched to the correct Policy Server that the user is going through for their filtering. For details, see Real-Time Monitor.
Some traffic may not have identification, such as Linux servers, cellphones, tablets and anything else that does not connect to Active Directory and will always display as an IP address.
Determine Identification Method In UseFor instructions on how to locate the identification method in the deployment, see Determining Identification Method.
The Identification Methods covered in this article:
Identification Methods and TroubleshootingDC Agent (Windows based)
TroubleshootingDC Agent cannot retrieve user data after Windows update
This article is the most common problem with DC Agent providing no or intermittent identification for users. The "About the Hotfix" section is the same troubleshooting for DC Agent if on v8.4 or higher as well. If using v8.1 or older, the deployment must be upgraded in order to affect the fixes for DC Agent to have it function as expected. For information on upgrading, see Upgrade Centers for v7.8 to 8.x.
DC Agent not working properly since upgrading Active Directory
This article provides a list of what Active Directory version is supported per Forcepoint version. This information is also found in the System Requirements page for the version of Forcepoint software deployed.
ConfigurationIdentification and authentication of hybrid users
TroubleshootingHybrid error message 3002: "Duplicate email address"
This article addresses a common failure to synchronize user data to the Cloud as the information is already present.
Hybrid error message 3004: "Not Found For Modification or Deletion"
This article addresses a common failure to synchronize user data to the Cloud as the information has changed and needs to be removed.
ConfigurationContent Gateway user authentication
TroubleshootingFailed to Join Domain
Common causes which are part of the setup documentation at Content Gateway user authentication:
Error: Clients may not be able to perform Kerberos authentication" displayed when joining the domain under IWA
This article is for the error message above in Content Gateway. This will not stop the join of IWA or Rule Based Authentication as NTLM communication will be used.
Kerberos and Integrated Windows Authentication in a load balanced environment
This article is for when a load balancer such as an F5 is in use in the environment and there is more than one proxy using IWA or Rule Based Authentication present.
Authenticate or Identify Mac Users for User or Group Based Filtering
This article discusses the methods for identifying Mac, iPhone and iPad users in IWA and DC Agent environments.
Users are prompted for credentials when using NTLM proxy authentication with Firefox
This article is for users with Firefox who are receiving authentication prompts. Unlike Internet Explorer and Chrome, Firefox does not necessarily use the settings in Internet Options.
IWA is prompting transparent proxied users for authentication
This article is for users where Transparent Proxy (WCCP) is in use and authentication prompts happen, but they do not happen when explicitly proxied. Note: At the top of the article, the location of where to put the FQDN for explicit users (such as a PAC file) is present.
Keywords: authentication; identification; xid; proxy; content gateway; transparent; prompt; iwa; kerberos; ntlm; user identification issue; user access issue; users incorrectly blocked